GDPR Compliance for Start-Ups

If you're starting a business and you wish to target EU customers, then you must comply with the EU's General Data Protection Regulation (GDPR). The regulation sets rules for when your business can collect or process someone's personal data, and there are steep financial penalties for companies that fail to comply.

GDPR compliance can be complex, but there are various steps you can take to ensure your new start-up follows the rules.

To help you understand how the regulation applies to your new business, here is a breakdown of GDPR compliance for start-ups.

Need a Privacy Policy? Our Privacy Policy Generator will help you create a custom policy that you can use on your website and mobile app. Just follow these few easy steps:

  1. Click on "Start creating your Privacy Policy" on our website.
  2. Select the platforms where your Privacy Policy will be used and go to the next step.
  3. Add information about your business: your website and/or app.
  4. Select the country.
  5. Answer the questions from our wizard relating to what type of information you collect from your users.
  6. Enter your email address where you'd like your Privacy Policy sent and click "Generate".

And you're done! Now you can copy or link to your hosted Privacy Policy.

The GDPR

The EU's General Data Protection Regulation is undoubtedly one of the world's most comprehensive privacy laws.

The Regulation, which came into force on 25 May 2018, protects what's known as "personal data." Personal data is defined in Article 4 of the GDPR as any information which can be used to identify a specific person.

There's no limit as to what may be considered "personal" data. However, if a piece of data allows you to identify someone, then you should treat it as legally protected personal information.

The GDPR regulates personal data "processing." As per Article 4, processing means how a business collects, records, stores, structures, or shares personal information.

The GDPR also protects "special category" data. Special category or "sensitive" data includes but isn't limited to information on:

  • Race
  • Sexual orientation
  • Medical history
  • Religion

Who Must Comply With the GDPR

You must comply with the GDPR if your business meets any of the following criteria:

  • You sell goods or services to EU individuals, or
  • Your business collects or processes data belonging to EU individuals

It doesn't matter where your start-up is located. If you're a commercial business and you have EU customers, or you collect data belonging to EU residents, then the GDPR applies. Even if you're not directly targeting EU customers but your website attracts traffic from EU countries, then the GDPR applies.

In most cases, it's best just to assume the GDPR could affect your commercial business and take steps to be in compliance.

Data Processors and Data Controllers

The GDPR makes a distinction between "data controllers" and "data processors."

  • Data controllers: The controller is the business which decides to collect the data. They determine what data they need, why they need it, how it's used, and who they'll share it with. Data controllers can be online stores, for example.
  • Data processors: The processor is responsible for processing personal data on behalf of the controller, for example, a payment provider or cloud provider.

Your obligations vary depending on whether you're a controller or processor. Controllers face tougher compliance rules than processors, so it's important to know which group you fall into.

Controllers are responsible for ensuring that their processors comply with any applicable GDPR rules. According to Article 25, they're also responsible for complying with GDPR principles to safeguard personal data.

And according to Article 29, processors must follow a controller's instructions for processing data. They can't use it for any purpose unless it complies with the controller's instructions.

How Start-Ups Can Comply With the GDPR

To help you grow your start-up and collect personal data legally, here's a breakdown of the 10 main steps you should take to ensure your start-up achieves GDPR compliance.

1. Audit the Data You Collect

Determine if you collect personal data and whether you collect any special categories of data.

We've already covered the definition of personal data; however, here are some examples of data which should be considered "personal," some of which are less obvious than others:

  • Name
  • Email or home address
  • IP address
  • ID numbers, e.g. passport number or driver's license number
  • Cookie IDs
  • Usage data

Chances are you collect at least some form of personal data, so at this point, start thinking about what personal data you collect, why you need it, how you'll store it, and what you plan on using it for.

Ask and answer those same questions if you collect any special categories of data.

2. Appoint Required Personnel

Next, you must know if your start-up requires any specific personnel.

Under the GDPR, some start-ups must appoint a Data Protection Officer (DPO). A DPO is responsible for:

  • Advising the data controller (or processor) on relevant GDPR rules,
  • Liaising with relevant Data Protection Authorities, and
  • Monitoring GDPR compliance

When You Need a DPO

You must appoint a DPO if your start-up meets the criteria set out in Article 37 of the GDPR. Every start-up that does either of the following needs a DPO:

  • Regularly monitors data subjects (individuals) on a large scale, or
  • Processes special categories of data (i.e. sensitive information) on a large scale

For example, you may need a DPO if you process large volumes of healthcare data or if you perform behavior monitoring or tracking. Even if you don't need a DPO, you may find it helpful to appoint one to ensure GDPR compliance.

3. Know the GDPR Data Processing Principles

If you process personal data, you must abide by six specific principles described in Article 5. We can summarize them as follows:

  • Lawfulness: You must process data transparently and lawfully.
  • Purpose limitation: Data should only be collected and used for a specific, clearly defined purpose.
  • Data minimization: Businesses should only collect as much data as they need to achieve this purpose.
  • Accuracy: A business should, where possible, ensure the data they have is accurate.
  • Storage limitation: Personal data should not be kept for longer than necessary unless it's to satisfy a legal requirement.
  • Integrity and confidentiality: Businesses must take steps to protect the confidentiality and integrity of the data they hold.

As mentioned earlier, the data controller is responsible for following such rules and upholding these principles.

Chances are your start-up is a data controller, so ensure you abide by the GDPR principles for data processing.

4. Determine Your Legal Basis for Processing

Under the GDPR, you need a specific, lawful reason for processing personal data. The GDPR sets out six legal grounds for data processing in Article 6.

Processing is only legal if:

  • The individual consents to your business using their data for a set purpose,
  • You need the data to perform a contractual duty towards the individual,
  • The only way to comply with a legal obligation is to process the data,
  • Processing the data allows you to protect the person's vital interests,
  • You're carrying out a task in the public interest, or
  • You must process the data to pursue legitimate business interests

For example, someone may consent to you using their data for marketing purposes. Or, you might need their financial details and home address to process an online order.

In short, you must have a legal basis for collecting the data. Otherwise, you can't process it.

5. Minimize Personal Data Collection

Don't collect more data than you need to fulfill a certain task.

For example, you probably don't need someone's full name to send them online newsletters. You might collect their first name only then, or better yet, just an email address.

Here's an example from an online baking blog, Something Sweet Something Savoury:

Something Sweet Something Savoury email newsletter sign-up form

For start-ups, here's an easy way to think about "data minimization": if you can't justify why you need a piece of data, don't collect it.

6. Draft a Privacy Policy

A Privacy Policy sets out your company's policies for collecting and processing data. It should be titled something like "Privacy Policy" or "Privacy Notice" so people understand what it is.

Every GDPR-compliant Privacy Policy must include clauses explaining:

  • The categories or types of personal data you process, e.g. names, email addresses, IP addresses
  • Why you need the data
  • Your lawful basis for processing
  • Who you share the data with
  • What rights people have and how they can exercise them
  • Your business contact details

Display your Privacy Policy somewhere obvious so customers can read and agree to it before using your site or buying your products. For example, Gymshark has a link in its website footer:

Gymshark website footer with Privacy Notice link highlighted

For more tips on where to place your Privacy Policy, check out our article: Where to Add Privacy Policies on Websites and Apps.

7. Obtain Valid Consent

If you rely on "consent" as a legal basis for processing, then you must obtain consent which is freely given, informed, unequivocal and express, i.e. obvious.

Here are some quick tips:

  • You should get consent to use any cookies which are not strictly necessary.
  • Implied consent or "pre-ticked" checkboxes don't count. Consent must be affirmative.
  • To get affirmative consent, have users check a box next to an "I Agree" or similar statement.

Here's an example of a cookie banner from Something Sweet and Something Savoury:

Something Sweet Something Savoury cookie consent notice

You must also ensure people know they can revoke consent at any time and explain how they can do this.
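The consent rules above (an affirmative act rather than a pre-ticked default, tied to a stated purpose, revocable at any time, and gating any cookies that are not strictly necessary) can be modelled as a small in-memory consent ledger. This is an added example and not code from the article or from PrivacyPolicies.com; the purpose names, function names and cookie list are constructed for illustration.

```javascript
// Added example (not from the original article): a minimal consent ledger that
// enforces the consent rules described in the text. Purpose names, function
// names and sample cookies are hypothetical.

// Cookie purposes: "necessary" never needs consent, the others always do.
const PURPOSES = { necessary: false, analytics: true, marketing: true };

function createConsentLedger() {
  const records = []; // append-only log of consent events (kept in memory here)
  return {
    // Record consent for one purpose. `userAction` must be literally true,
    // meaning the user actively ticked the box; a pre-ticked or implied
    // default is rejected because it is not affirmative consent.
    grant(purpose, userAction, now = new Date()) {
      if (!(purpose in PURPOSES)) throw new Error(`unknown purpose: ${purpose}`);
      if (userAction !== true) throw new Error('consent must be an affirmative act');
      records.push({ purpose, granted: true, at: now.toISOString() });
      return true;
    },
    // Consent can be withdrawn at any time; the withdrawal is logged too.
    revoke(purpose, now = new Date()) {
      records.push({ purpose, granted: false, at: now.toISOString() });
      return true;
    },
    // A purpose is consented only if its most recent event is a grant.
    hasConsent(purpose) {
      if (PURPOSES[purpose] === false) return true; // strictly necessary
      const last = [...records].reverse().find(r => r.purpose === purpose);
      return Boolean(last && last.granted);
    },
    // Filter a list of cookies down to those that may be set right now.
    allowedCookies(cookies) {
      return cookies.filter(c => this.hasConsent(c.purpose));
    },
    // The log is what you would keep as your record of consent.
    history() {
      return records.slice();
    },
  };
}
```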

8. Implement Security Safeguards

As a start-up, you must take proportionate steps to protect personal information from any unauthorized access. What's proportionate varies depending on, for example, what type of data you collect and the size of your business.

However, here are some basic steps every start-up should take to protect personal data.

Perform Data Protection Impact Assessments (DPIAs)

A Data Protection Impact Assessment allows you to identify vulnerabilities and manage any security risks. DPIAs aren't always necessary, but you will need to perform one if you:

  • Process data on a large scale,
  • Collect data for profiling or monitoring purposes, or
  • Undertake a new project which requires you to process personal data

DPIAs are described in more detail in GDPR Article 35.

Even if you don't need a DPIA, you should perform a risk assessment to ensure you know how best to protect personal data.

Secure Personal Data

Techniques for protecting personal data include:

  • Using encryption where possible
  • Securing WiFi networks
  • Enforcing the use of strong passwords

Seek IT support if you need help setting up a GDPR-compliant environment.

9. Set Up Any Necessary Data Processing Agreements

If you're a controller, you must set up a formal Data Processing Agreement with processors. The agreement will define how the processor can use the data.

You may also need to register with a Data Protection Authority (DPA).

If your business is based in an EU country, register with the DPA in that country. For businesses based outside the EU, register with the DPA in the country where you perform most of your activities. For example, if you mainly sell to UK customers, register with the UK DPA.

10. Review Your GDPR Compliance

For any business, including start-ups, GDPR compliance doesn't stop. So, you must regularly audit activities such as:

  • The type of data you process
  • Your data security measures
  • Any training you or staff members may need
  • How you record consent (if required)

Failing to Comply With the GDPR

Under the GDPR, you may face severe financial penalties if you don't meet your GDPR requirements. The fines are set out in GDPR Article 83.

  • The financial penalty depends on how you breached the GDPR rules
  • Fines can be as much as 4% of your global annual turnover or 20 million Euros, whichever is higher

The fine must be proportionate to the severity of the breach.

For a start-up, any financial penalty could severely limit your growth prospects. Always seek legal advice if you need help complying with your obligations.

For more guidance, check our article: How to Avoid GDPR Fines.

GDPR Compliance for Start-Ups: Summary

Start-ups with EU customers must comply with the EU's GDPR.

Here is a checklist summarizing the 10 main steps you should take to meet the legal requirements:

  • Appoint a DPO if you need one
  • Learn the GDPR principles
  • Understand what data you collect
  • Where possible, reduce the data you're collecting
  • Determine your legal basis for processing
  • Publish a Privacy Policy on your website
  • Set up necessary consent mechanisms, e.g. cookie banners and "I Agree" checkboxes
  • Ensure that your infrastructure is sufficiently secure
  • Register with a DPA and set up any necessary agreements
  • Review your processes regularly